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NEW QUESTION 1 
- (Topic 1) 
The Terminal Access Controller Access Control System (TACACS) employs which of the following? 


A. a user ID and static password for network access 

B. a user ID and dynamic password for network access 

C. a user ID and symmetric password for network access 
D. auser ID and asymmetric password for network access 


Answer: A 


Explanation: 
For networked applications, the Terminal Access Controller Access Control System (TACACS) employs a user ID and a static password for network access. 
Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, 2001, John Wiley & Sons, Page 44. 


NEW QUESTION 2 
- (Topic 1) 
Which of the following pairings uses technology to enforce access control policies? 


A. Preventive/Administrative 
B. Preventive/Technical 

C. Preventive/Physical 

D. Detective/Administrative 


Answer: B 


Explanation: 

The preventive/technical pairing uses technology to enforce access control policies. 

TECHNICAL CONTROLS 

Technical security involves the use of safeguards incorporated in computer hardware, operations or applications software, communications hardware and 
software, and related devices. Technical controls are sometimes referred to as logical controls. 

Preventive Technical Controls 

Preventive technical controls are used to prevent unauthorized personnel or programs from gaining remote access to computing resources. Examples of these 
controls include: 

Access control software. Antivirus software. Library control systems. Passwords. 

Smart cards. Encryption. 

Dial-up access control and callback systems. 

Preventive Physical Controls 

Preventive physical controls are employed to prevent unauthorized personnel from entering computing facilities (i.e., locations housing computing resources, 
supporting utilities, computer hard copy, and input data media) and to help protect against natural disasters. Examples of these controls include: 

Backup files and documentation. Fences. 

Security guards. Badge systems. Double door systems. Locks and keys. Backup power. 

Biometric access controls. Site selection. 

Fire extinguishers. 

Preventive Administrative Controls 

Preventive administrative controls are personnel-oriented techniques for controlling people’s behavior to ensure the confidentiality, integrity, and availability of 
computing data and programs. Examples of preventive administrative controls include: 

Security awareness and technical training. Separation of duties. 

Procedures for recruiting and terminating employees. Security policies and procedures. 

Supervision. 

Disaster recovery, contingency, and emergency plans. User registration for computer access. 

Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the 

Ten Domains of Computer Security, 2001, John Wiley & Sons, Page 34. 


NEW QUESTION 3 
- (Topic 1) 
Which type of password token involves time synchronization? 


A. Static password tokens 

B. Synchronous dynamic password tokens 
C. Asynchronous dynamic password tokens 
D. Challenge-response tokens 


Answer: B 


Explanation: 

Synchronous dynamic password tokens generate a new unique password value at fixed time intervals, so the server and token need to be synchronized for the 
password to be accepted. 

Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, John Wiley & Sons, 2001, Chapter 2: 
Access control systems (page 37). 

Also check out: HARRIS, Shon, All-In-One CISSP Certification Exam Guide, McGraw- Hill/Osborne, 2002, chapter 4: Access Control (page 136). 


NEW QUESTION 4 
- (Topic 1) 
The type of discretionary access control (DAC) that is based on an individual's identity is also called: 


A. ldentity-based Access control 
B. Rule-based Access control 
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C. Non-Discretionary Access Control 
D. Lattice-based Access control 


Answer: A 


Explanation: 

An identity-based access control is a type of Discretionary Access Control (DAC) that is based on an individual's identity. 

DAC is good for low level security environment. The owner of the file decides who has access to the file. 

If a user creates a file, he is the owner of that file. An identifier for this user is placed in the file header and/or in an access control matrix within the operating 
system. 

Ownership might also be granted to a specific individual. For example, a manager for a certain department might be made the owner of the files and resources 
within her department. A system that uses discretionary access control (DAC) enables the owner of the resource to specify which subjects can access specific 
resources. 

This model is called discretionary because the control of access is based on the discretion of the owner. Many times department managers, or business unit 
managers , are the owners of the data within their specific department. Being the owner, they can specify who should have access and who should not. 
Reference(s) used for this question: 

Harris, Shon (2012-10-18). CISSP All-in-One Exam Guide, 6th Edition (p. 220). McGraw- Hill . Kindle Edition. 


NEW QUESTION 5 
- (Topic 1) 
Which access control model achieves data integrity through well-formed transactions and separation of duties? 


A. Clark-Wilson model 

B. Biba model 

C. Non-interference model 
D. Sutherland model 


Answer: A 


Explanation: 

The Clark-Wilson model differs from other models that are subject- and object- oriented by introducing a third access element programs resulting in what is called 
an access triple, which prevents unauthorized users from modifying data or programs. The Biba model uses objects and subjects and addresses integrity based on 
a hierarchical 

lattice of integrity levels. The non-interference model is related to the information flow model with restrictions on the information flow. The Sutherland model 
approaches integrity by focusing on the problem of inference. 

Source: ANDRESS, Mandy, Exam Cram CISSP, Coriolis, 2001, Chapter 2: Access Control Systems and Methodology (page 12). 

And: KRAUSE, Micki & TIPTON, Harold F., Handbook of Information Security Management, CRC Press, 1997, Domain 1: Access Control. 


NEW QUESTION 6 

- (Topic 1) 

Which of the following is implemented through scripts or smart agents that replays the users multiple log-ins against authentication servers to verify a user's 
identity which permit access to system services? 


A. Single Sign-On 
B. Dynamic Sign-On 
C. Smart cards 

D. Kerberos 


Answer: A 


Explanation: 

SSO can be implemented by using scripts that replay the users multiple log- ins against authentication servers to verify a user's identity and to permit access to 
system services. 

Single Sign on was the best answer in this case because it would include Kerberos. When you have two good answers within the 4 choices presented you must 
select the 

BEST one. The high level choice is always the best. When one choice would include the 

other one that would be the best as well. 

Reference(s) used for this question: 

KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, 2001, John Wiley & Sons, Page 40. 


NEW QUESTION 7 
- (Topic 1) 
What refers to legitimate users accessing networked services that would normally be restricted to them? 


A. Spoofing 

B. Piggybacking 
C. Eavesdropping 
D. Logon abuse 


Answer: D 


Explanation: 

Unauthorized access of restricted network services by the circumvention of security access controls is known as logon abuse. This type of abuse refers to users 
who may be internal to the network but access resources they would not normally be allowed. Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep 
Guide: Mastering the Ten Domains of Computer Security, John Wiley & Sons, 2001, Chapter 3: 

Telecommunications and Network Security (page 74). 


NEW QUESTION 8 
- (Topic 1) 


Your Partner of IT Exam visit - httos:/www.exambible.com 


We recommend you to try the PREMIUM SSCP Dumps From Exambible 
exambible https:/www.exambible.com/SSCP-exam/ (1074 Q&As) 
Which of the following is most affected by denial-of-service (DOS) attacks? 


A. Confidentiality 
B. Integrity 

C. Accountability 
D. Availability 


Answer: D 


Explanation: 
Denial of service attacks obviously affect availability of targeted systems. Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the 
Ten Domains of Computer Security, John Wiley & Sons, 2001, Chapter 3: Telecommunications and Network Security (page 61). 


NEW QUESTION 9 
- (Topic 1) 
Which of the following would be used to implement Mandatory Access Control (MAC)? 


A. Clark-Wilson Access Control 
B. Role-based access control 

C. Lattice-based access control 
D. User dictated access control 


Answer: C 


Explanation: 

The lattice is a mechanism use to implement Mandatory Access Control (MAC) 

Under Mandatory Access Control (MAC) you have: Mandatory Access Control 

Under Non Discretionary Access Control (NDAC) you have: Rule-Based Access Control 

Role-Based Access Control 

Under Discretionary Access Control (DAC) you have: Discretionary Access Control 

The Lattice Based Access Control is a type of access control used to implement other access control method. A lattice is an ordered list of elements that has a 
least upper bound and a most lower bound. The lattice can be used for MAC, DAC, Integrity level, File Permission, and more 

For example in the case of MAC, if we look at common government classifications, we have the following: 

TOP SECRET 

SECRET ----------------------- | am the user at secret CONFIDENTIAL 

SENSITIVE BUT UNCLASSIFIED UNCLASSIFIED 

If you look at the diagram above where | am a user at SECRET it means that | can access document at lower classification but not document at TOP SECRET. 
The lattice is a list f ORDERED ELEMENT, in this case the ordered elements are classification levels. My least upper bound is SECRET and my most lower 
bound is UNCLASSIFIED. 

However the lattice could also be used for Integrity Levels such as: VERY HIGH 

HIGH 

MEDIUM ---------- lam a user, process, application at the medium level LOW 

VERY LOW 

In the case of of Integrity levels you have to think about TRUST. Of course if | take for example the the VISTA operating system which is based on Biba then 
Integrity Levels would be used. As a user having access to the system | cannot tell a process running with administrative privilege what to do. Else any users on 
the system could take control of the system by getting highly privilege process to do things on their behalf. So no read down would be allowed in this case and this 
is an example of the Biba model. 

Last but not least the lattice could be use for file permissions: RWX 

RW --------- User at this level 


If I am a user with READ and WRITE (RW) access privilege then | cannot execute the file 

because | do not have execute permission which is the X under linux and UNIX. 

Many people confuse the Lattice Model and many books says MAC = LATTICE, however the lattice can be use for other purposes. 

There is also Role Based Access Control (RBAC) that exists out there. It COULD be used to simulate MAC but it is not MAC as it does not make use of Label on 

objects indicating sensitivity and categories. MAC also require a clearance that dominates the object. 

You can get more info about RBAC at:http://csrc.nist.gov/groups/SNS/rbac/faq.html#03 Also note that many book uses the same acronym for Role Based Access 
Control and Rule 

Based Access Control which is RBAC, this can be confusing. 

The proper way of writing the acronym for Rule Based Access Control is RUBAC, unfortunately it is not commonly used. 

References: 

There is a great article on technet that talks about the lattice in VISTA: http://blogs.technet.com/b/steriley/archive/2006/07/21/442870.aspx 

also see: 

KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, John Wiley & Sons, 2001, Chapter 2: Access 
control systems (page 33). 

and 

http :/Awww.microsoft-watch.com/content/vista/gaging_vistas_integrity.html 


NEW QUESTION 10 
- (Topic 1) 
Which of the following is an example of a passive attack? 


A. Denying services to legitimate users 
B. Shoulder surfing 

C. Brute-force password cracking 

D. Smurfing 


Answer: B 
Explanation: 


Shoulder surfing is a form of a passive attack involving stealing passwords, personal identification numbers or other confidential information by looking over 
someone's shoulder. All other forms of attack are active attacks, where a threat makes a modification to the system in an attempt to take advantage of a 
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vulnerability. 
Source: HARRIS, Shon, All-In-One CISSP Certification Exam Guide, McGraw- Hill/Osborne, 2002, chapter 3: Security Management Practices (page 63). 


NEW QUESTION 10 

- (Topic 1) 

In which of the following model are Subjects and Objects identified and the permissions applied to each subject/object combination are specified. Such a model 
can be used to quickly summarize what permissions a subject has for various system objects. 


A. Access Control Matrix model 
B. Take-Grant model 

C. Bell-LaPadula model 

D. Biba model 


Answer: A 


Explanation: 

An access control matrix is a table of subjects and objects indicating what actions individual subjects can take upon individual objects. Matrices are data structures 
that programmers implement as table lookups that will be used and enforced by the operating system. 

This type of access control is usually an attribute of DAC models. The access rights can be assigned directly to the subjects (capabilities) or to the objects (ACLs). 
Capability Table 

A capability table specifies the access rights a certain subject possesses pertaining to specific objects. A capability table is different from an ACL because the 
subject is bound to the capability table, whereas the object is bound to the ACL. 

Access control lists (ACLs) 

ACLs are used in several operating systems, applications, and router configurations. They are lists of subjects that are authorized to access a specific object, and 
they define what level of authorization is granted. Authorization can be specific to an individual, group, or role. ACLs map values from the access control matrix to 
the object. 

Whereas a capability corresponds to a row in the access control matrix, the ACL corresponds to a column of the matrix. 

NOTE: Ensure you are familiar with the terms Capability and ACLs for the purpose of the exam. 

Resource(s) used for this question: 

Harris, Shon (2012-10-25). CISSP All-in-One Exam Guide, 6th Edition (Kindle Locations 5264-5267). McGraw-Hill. Kindle Edition. 

or 

Harris, Shon (2012-10-25). CISSP All-in-One Exam Guide, 6th Edition, Page 229 and 

Hernandez CISSP, Steven (2012-12-21). Official (ISC)2 Guide to the CISSP CBK, Third Edition ((ISC)2 Press) (Kindle Locations 1923-1925). Auerbach 
Publications. Kindle Edition. 


NEW QUESTION 14 
- (Topic 1) 
What does the (star) property mean in the Bell-LaPadula model? 


A. No write up 
B. No read up 
C. No write down 
D. No read down 


Answer: C 


Explanation: 

The (star) property of the Bell-LaPadula access control model states that writing of information by a subject at a higher level of sensitivity to an object at a lower 
level of sensitivity is not permitted (no write down). 

Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, John Wiley & Sons, 2001, Chapter 5: 
Security Architectures and Models (page 202). 

Also check out: HARRIS, Shon, All-In-One CISSP Certification Exam Guide, McGraw- Hill/Osborne, 2002, Chapter 5: Security Models and Architecture (page 242, 
243). 


NEW QUESTION 16 
- (Topic 1) 
Which of the following centralized access control mechanisms is the least appropriate for mobile workers accessing the corporate network over analog lines? 


A. TACACS 
B. Call-back 
C. CHAP 

D. RADIUS 


Answer: B 


Explanation: 

Call-back allows for a distant user connecting into a system to be called back at a number already listed in a database of trusted users. The disadvantage of this 
system is that the user must be at a fixed location whose phone number is known to the authentication server. Being mobile workers, users are accessing the 
system from multiple 

locations, making call-back inappropriate for them. 

Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, John Wiley & Sons, 2001, Chapter 2: 
Access control systems (page 44). 


NEW QUESTION 20 
- (Topic 1) 
The number of violations that will be accepted or forgiven before a violation record is produced is called which of the following? 


A. clipping level 
B. acceptance level 
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C. forgiveness level 
D. logging level 


Answer: A 


Explanation: 

The correct answer is "clipping level". This is the point at which a system decides to take some sort of action when an action repeats a preset number of times. 
That action may be to log the activity, lock a user account, temporarily close a port, etc. 

Example: The most classic example of a clipping level is failed login attempts. If you have a system configured to lock a user's account after three failed login 
attemts, that is the "clipping level”. 

The other answers are not correct because: 

Acceptance level, forgiveness level, and logging level are nonsensical terms that do not exist (to my knowledge) within network security. 

Reference: 

Official ISC2 Guide - The term "clipping level" is not in the glossary or index of that book. | cannot find it in the text either. However, I'm quite certain that it would 
be considered part of the CBK, despite its exclusion from the Official Guide. 

Allin One Third Edition page: 136 - 137 


NEW QUESTION 22 
- (Topic 1) 
In discretionary access environments, which of the following entities is authorized to grant information access to other people? 


A. Manager 

B. Group Leader 

C. Security Manager 
D. Data Owner 


Answer: D 


Explanation: 

In Discretionary Access Control (DAC) environments, the user who creates a file is also considered the owner and has full control over the file including the ability 
to set permissions for that file. 

The following answers are incorrect: 

manager. Is incorrect because in Discretionary Access Control (DAC) environments it is the owner/user that is authorized to grant information access to other 
people. 

group leader. Is incorrect because in Discretionary Access Control (DAC) environments it is the owner/user that is authorized to grant information access to other 
people. 

security manager. Is incorrect because in Discretionary Access Control (DAC) environments it is the owner/user that is authorized to grant information access to 
other people. 

IMPORTANT NOTE: 

The term Data Owner is also used within Classifications as well. Under the subject of classification the Data Owner is a person from management who has been 
entrusted with a data set that belongs to the company. For example it could be the Chief Financial Officer (CFO) who is entrusted with all of the financial data for a 
company. As such the CFO would determine the classification of the financial data and who can access as well. The Data Owner would then tell the Data 
Custodian (a technical person) what the classification and need to know is on the specific set of data. 

The term Data Owner under DAC simply means whoever created the file and as the creator of the file the owner has full access and can grant access to other 
subjects based 

on their identity. 


NEW QUESTION 24 
- (Topic 1) 
Controls to keep password sniffing attacks from compromising computer systems include which of the following? 


A. static and recurring passwords. 
B. encryption and recurring passwords. 
C. one-time passwords and encryption. 
D. static and one-time passwords. 


Answer: C 


Explanation: 

To minimize the chance of passwords being captured one-time passwords would prevent a password sniffing attack because once used it is no longer valid. 
Encryption will also minimize these types of attacks. 

The following answers are correct: 

static and recurring passwords. This is incorrect because if there is no encryption then someone password sniffing would be able to capture the password much 
easier if it never changed. 

encryption and recurring passwords. This is incorrect because while encryption helps, recurring passwords do nothing to minimize the risk of passwords being 
captured. 

static and one-time passwords. This is incorrect because while one-time passwords will prevent these types of attacks, static passwords do nothing to minimize the 
risk of passwords being captured. 


NEW QUESTION 27 

- (Topic 1) 

Which of the following is NOT a type of motion detector? 
A. Photoelectric sensor 

B. Passive infrared sensors 

C. Microwave Sensor. 

D. Ultrasonic Sensor. 


Answer: A 


Your Partner of IT Exam visit - httos:/(www.exambible.com 


We recommend you to try the PREMIUM SSCP Dumps From Exambible 
exambible https:/www.exambible.com/SSCP-exam/ (1074 Q&As) 


Explanation: 

A photoelectric sensor does not "directly" sense motion there is a narrow beam that won't set off the sensor unless the beam is broken. Photoelectric sensors, 
along with dry contact switches, are a type of perimeter intrusion detector. 

All of the other answers are valid types of motion detectors types. 

The content below on the different types of sensors is from Wikepedia: Indoor Sensors 

These types of sensors are designed for indoor use. Outdoor use would not be advised due to false alarm vulnerability and weather durability.Passive infrared 
detectors 


C:\Users\MCS\Desktop\1.jpg Passive Infrared Sensor 

The passive infrared detector (PIR) is one of the most common detectors found in household and small business environments because it offers affordable and 
reliable functionality. The term passive means the detector is able to function without the need to generate and radiate its own energy (unlike ultrasonic and 
microwave volumetric intrusion detectors that are “active” in operation). PIRs are able to distinguish if an infrared emitting object is present by first learning the 
ambient temperature of the monitored space and then detecting a change in the temperature caused by the presence of an object. Using the principle of 
differentiation, which is a check of presence or nonpresence, PIRs verify if an intruder or object is actually there. Creating individual zones of detection where each 
zone comprises one or more layers can achieve differentiation. Between the zones there are areas of no sensitivity (dead zones) that are used by the sensor for 
comparison. 

Ultrasonic detectors 

Using frequencies between 15 kHz and 75 kHz, these active detectors transmit ultrasonic sound waves that are inaudible to humans. The Doppler shift principle is 
the underlying method of operation, in which a change in frequency is detected due to object motion. This is caused when a moving object changes the frequency 
of sound waves around it. Two conditions must occur to successfully detect a Doppler shift event: 

There must be motion of an object either towards or away from the receiver. 

The motion of the object must cause a change in the ultrasonic frequency to the receiver relative to the transmitting frequency. 

The ultrasonic detector operates by the transmitter emitting an ultrasonic signal into the area to be protected. The sound waves are reflected by solid objects (such 
as the surrounding floor, walls and ceiling) and then detected by the receiver. Because ultrasonic waves are transmitted through air, then hard-surfaced objects 
tend to reflect most of the ultrasonic energy, while soft surfaces tend to absorb most energy. 

When the surfaces are stationary, the frequency of the waves detected by the receiver will be equal to the transmitted frequency. However, a change in frequency 
will occur as a result of the Doppler principle, when a person or object is moving towards or away from the detector. Such an event initiates an alarm signal. This 
technology is considered obsolete by many alarm professionals, and is not actively installed. 

Microwave detectors 

This device emits microwaves from a transmitter and detects any reflected microwaves or reduction in beam intensity using a receiver. The transmitter and 
receiver are usually combined inside a single housing (monostatic) for indoor applications, and separate housings (bistatic) for outdoor applications. To reduce 
false alarms this type of detector is usually combined with a passive infrared detector or "Dualtec" alarm. 

Microwave detectors respond to a Doppler shift in the frequency of the reflected energy, by a phase shift, or by a sudden reduction of the level of received energy. 
Any of these effects may indicate motion of an intruder. 

Photo-electric beams 

Photoelectric beam systems detect the presence of an intruder by transmitting visible or infrared light beams across an area, where these beams may be 
obstructed. To improve the detection surface area, the beams are often employed in stacks of two or more. However, if an intruder is aware of the technology's 
presence, it can be avoided. The technology can be an effective long-range detection system, if installed in stacks of three or more where the transmitters and 
receivers are staggered to create a fence-like barrier. Systems are available for both internal and external applications. To prevent a clandestine attack using a 
secondary light source being used to hold the detector in a 'sealed’ condition whilst an intruder passes through, most systems use and detect a modulated light 
source. 

Glass break detectors 

The glass break detector may be used for internal perimeter building protection. When glass breaks it generates sound in a wide band of frequencies. These can 
range from infrasonic, which is below 20 hertz (Hz) and can not be heard by the human ear, through the audio band from 20 Hz to 20 kHz which humans can hear, 
right up to ultrasonic, which is above 20 kHz and again cannot be heard. Glass break acoustic detectors are mounted in close proximity to the glass panes and 
listen for sound frequencies associated with glass breaking. Seismic glass break detectors are different in that they are installed on the glass pane. When glass 
breaks it produces specific shock frequencies which travel through the glass and often through the window frame and the surrounding walls and ceiling. Typically, 
the most intense frequencies generated are between 3 and 5 kHz, depending on the type of glass and the presence of a plastic interlayer. Seismic glass break 
detectors “feel” these shock frequencies and in turn generate an alarm condition. 

The more primitive detection method involves gluing a thin strip of conducting foil on the inside of the glass and putting low-power electrical current through it. 
Breaking the glass is practically guaranteed to tear the foil and break the circuit. 

Smoke, heat, and carbon monoxide detectors 
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C:\Users\MCS\Desktop\1.jpg Heat Detection System 

Most systems may also be equipped with smoke, heat, and/or carbon monoxide detectors. These are also known as 24 hour zones (which are on at all times). 
Smoke detectors and heat detectors protect from the risk of fire and carbon monoxide detectors protect from the risk of carbon monoxide. Although an intruder 
alarm panel may also have these detectors connected, it may not meet all the local fire code requirements of a fire alarm system. 

Other types of volumetric sensors could be: 

Active Infrared 

Passive Infrared/Microware combined Radar 

Accoustical Sensor/Audio Vibration Sensor (seismic) Air Turbulence 


NEW QUESTION 28 
- (Topic 1) 
Which integrity model defines a constrained data item, an integrity verification procedure and a transformation procedure? 


A. The Take-Grant model 

B. The Biba integrity model 

C. The Clark Wilson integrity model 
D. The Bell-LaPadula integrity model 


Answer: C 


Explanation: 

The Clark Wilson integrity model addresses the three following integrity goals: 1) data is protected from modification by unauthorized users; 2) data is protected 
from unauthorized modification by authorized users; and 3) data is internally and externally consistent. It also defines a Constrained Data Item (CDI), an Integrity 
Verification Procedure (IVP), a Transformation Procedure (TP) and an Unconstrained Data item. The Bell-LaPadula and Take-Grant models are not integrity 
models. 

Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, John Wiley & Sons, 2001, Chapter 5: 
Security Architecture and Models (page 205). 


NEW QUESTION 29 
- (Topic 1) 
A network-based vulnerability assessment is a type of test also referred to as: 


A. An active vulnerability assessment. 

B. A routing vulnerability assessment. 

C. A host-based vulnerability assessment. 
D. A passive vulnerability assessment. 


Answer: A 


Explanation: 

A network-based vulnerability assessment tool/system either re-enacts system attacks, noting and recording responses to the attacks, or probes different targets 
to infer weaknesses from their responses. 

Since the assessment is actively attacking or scanning targeted systems, network-based vulnerability assessment systems are also called active vulnerability 
systems. 

There are mostly two main types of test: 

PASSIVE: You don't send any packet or interact with the remote target. You make use of public database and other techniques to gather information about your 
target. 

ACTIVE: You do send packets to your target, you attempt to stimulate response which will help you in gathering information about hosts that are alive, services 
runnings, port state, and more. 

See example below of both types of attacks: 

Eavesdropping and sniffing data as it passes over a network are considered passive attacks because the attacker is not affecting the protocol, algorithm, key, 
message, or any parts of the encryption system. Passive attacks are hard to detect, so in most cases methods are put in place to try to prevent them rather than to 
detect and stop them. 

Altering messages , modifying system files, and masquerading as another individual are acts that are considered active attacks because the attacker is actually 
doing something instead of sitting back and gathering data. Passive attacks are usually used to gain information prior to carrying out an active attack. 
IMPORTANT NOTE: 

On the commercial vendors will sometimes use different names for different types of scans. However, the exam is product agnostic. They do not use vendor terms 
but general terms. Experience could trick you into selecting the wrong choice sometimes. See feedback from Jason below: 

"lam a system security analyst. It is my daily duty to perform system vulnerability analysis. We use Nessus and Retina (among other tools) to perform our network 
based vulnerability scanning. Both commercially available tools refer to a network based vulnerability scan as a "credentialed" scan. Without credentials, the scan 
tool cannot login to the system being scanned, and as such will only receive a port scan to see what ports are open and exploitable" 

Reference(s) used for this question: 

Harris, Shon (2012-10-18). CISSP All-in-One Exam Guide, 6th Edition (p. 865). McGraw- Hill. Kindle Edition. 

and 
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DUPUIS, Clement, Access Control Systems and Methodology CISSP Open Study Guide, version 1.0, march 2002 (page 97). 


NEW QUESTION 34 
- (Topic 1) 
Which one of the following authentication mechanisms creates a problem for mobile users? 


A. Mechanisms based on IP addresses 
B. Mechanism with reusable passwords 
C. one-time password mechanism. 
D. challenge response mechanism. 


Answer: A 


Explanation: 

Anything based on a fixed IP address would be a problem for mobile users because their location and its associated IP address can change from one time to the 
next. Many providers will assign a new IP every time the device would be restarted. For example an insurance adjuster using a laptop to file claims online. He goes 
to a different client each time and the address changes every time he connects to the ISP. 

NOTE FROM CLEMENT: 

The term MOBILE in this case is synonymous with Road Warriors where a user is contantly traveling and changing location. With smartphone today that may not 
be an issue but it would be an issue for laptops or WIFI tablets. Within a carrier network the IP will tend to be the same and would change rarely. So this question 
is more applicable to devices that are not cellular devices but in some cases this issue could affect cellular devices as well. 

The following answers are incorrect: 

mechanism with reusable password. This is incorrect because reusable password mechanism would not present a problem for mobile users. They are the least 
secure and change only at specific interval. 

one-time password mechanism. This is incorrect because a one-time password mechanism would not present a problem for mobile users. Many are based on a 
clock and not on the IP address of the user. 

challenge response mechanism. This is incorrect because challenge response mechanism would not present a problem for mobile users. 


NEW QUESTION 38 
- (Topic 1) 
Which of the following access control models is based on sensitivity labels? 


A. Discretionary access control 
B. Mandatory access control 
C. Rule-based access control 
D. Role-based access control 


Answer: B 


Explanation: 

Access decisions are made based on the clearance of the subject and the sensitivity label of the object. 

Example: Eve has a "Secret" security clearance and is able to access the "Mugwump Missile Design Profile" because its sensitivity label is "Secret." She is denied 
access to the "Presidential Toilet Tissue Formula" because its sensitivity label is "Top Secret." 

The other answers are not correct because: 

Discretionary Access Control is incorrect because in DAC access to data is determined by the data owner. For example, Joe owns the "Secret Chili Recipe" and 
grants read access to Charles. 

Role Based Access Control is incorrect because in RBAC access decsions are made based on the role held by the user. For example, Jane has the role "Auditor" 
and that role includes read permission on the "System Audit Log.” 

Rule Based Access Control is incorrect because it is a form of MAC. A good example would be a Firewall where rules are defined and apply to anyone connecting 
through the firewall. 

References: 

Allin One third edition, page 164. Official ISC2 Guide page 187. 


NEW QUESTION 39 
- (Topic 1) 
Which of the following can best eliminate dial-up access through a Remote Access Server as a hacking vector? 


A. Using a TACACS+ server. 

B. Installing the Remote Access Server outside the firewall and forcing legitimate users to authenticate to the firewall. 
C. Setting modem ring count to at least 5. 

D. Only attaching modems to non-networked hosts. 


Answer: B 


Explanation: 

Containing the dial-up problem is conceptually easy: by installing the Remote Access Server outside the firewall and forcing legitimate users to authenticate to the 
firewall, any access to internal resources through the RAS can be filtered as would any other connection coming from the Internet. 

The use of a TACACS+ Server by itself cannot eliminate hacking. 

Setting a modem ring count to 5 may help in defeating war-dialing hackers who look for modem by dialing long series of numbers. 

Attaching modems only to non-networked hosts is not practical and would not prevent these hosts from being hacked. 

Source: STREBE, Matthew and PERKINS, Charles, Firewalls 24seven, Sybex 2000, Chapter 2: Hackers. 


NEW QUESTION 40 
- (Topic 1) 
Organizations should consider which of the following first before allowing external access to their LANs via the Internet? 


A. plan for implementing workstation locking mechanisms. 


B. plan for protecting the modem pool. 
C. plan for providing the user with his account usage information. 
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D. plan for considering proper authentication options. 


Answer: D 


Explanation: 

Before a LAN is connected to the Internet, you need to determine what the 

access controls mechanisms are to be used, this would include how you are going to authenticate individuals that may access your network externally through 
access control. 

The following answers are incorrect: 

plan for implementing workstation locking mechanisms. This is incorrect because locking the workstations have no impact on the LAN or Internet access. 

plan for protecting the modem pool. This is incorrect because protecting the modem pool has no impact on the LAN or Internet access, it just protects the modem. 
plan for providing the user with his account usage information. This is incorrect because the question asks what should be done first. While important your primary 
concern should be focused on security. 


NEW QUESTION 43 
- (Topic 1) 
Which of the following biometric devices has the lowest user acceptance level? 


A. Retina Scan 

B. Fingerprint scan 

C. Hand geometry 

D. Signature recognition 


Answer: A 


Explanation: 
According to the cited reference, of the given options, the Retina scan has the lowest user acceptance level as it is needed for the user to get his eye close to a 
device and it is not user friendly and very intrusive. 
However, retina scan is the most precise with about one error per 10 millions usage. Look at the 2 tables below. If necessary right click on the image and save it on 
your 
desktop for a larger view or visit the web site directly at 
https://sites.google.com/site/biometricsecuritysolutions/crossover-accuracy . Biometric Comparison Chart 
BIOMETRICS COMPARISON CHART 
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Biometric Aspect Descriptions Reference(s) used for this question: 

RHODES, Keith A., Chief Technologist, United States General Accounting Office, National Preparedness, Technologies to Secure Federal Buildings, April 2002 
(page 10). 

and 

https://sites.google.com/site/biometricsecuritysolutions/crossover-accuracy 


NEW QUESTION 46 
- (Topic 1) 
Which of the following is most relevant to determining the maximum effective cost of access control? 


A. the value of information that is protected 

B. management's perceptions regarding data importance 

C. budget planning related to base versus incremental spending. 
D. the cost to replace lost data 
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Answer: A 


Explanation: 
The cost of access control must be commensurate with the value of the information that is being protected. 
Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, 2001, John Wiley & Sons, Page 49. 


NEW QUESTION 48 
- (Topic 1) 
Single Sign-on (SSO) is characterized by which of the following advantages? 


A. Convenience 

B. Convenience and centralized administration 

C. Convenience and centralized data administration 

D. Convenience and centralized network administration 


Answer: B 


Explanation: 

Convenience -Using single sign-on users have to type their passwords only once when they first log in to access all the network resources; and Centralized 
Administration as some single sign-on systems are built around a unified server administration system. This allows a single administrator to add and delete 
accounts across the entire network from one user interface. 

The following answers are incorrect: 

Convenience - alone this is not the correct answer. 

Centralized Data or Network Administration - these are thrown in to mislead the student. Neither are a benefit to SSO, as these specifically should not be allowed 
with just an SSO. 

References: TIPTON, Harold F. & KRAUSE, MICKI, Information Security Management Handbook, 4th Edition, Volume 1, page 35. 

TIPTON, Harold F. & HENRY, Kevin, Official (ISC)2 Guide to the CISSP CBK, 2007, page 180. 


NEW QUESTION 50 
- (Topic 1) 
Which of the following describes the major disadvantage of many Single Sign-On (SSO) implementations? 


A. Once an individual obtains access to the system through the initial log-on, they have access to all resources within the environment that the account has access 
to. 

B. The initial logon process is cumbersome to discourage potential intruders. 

C. Once a user obtains access to the system through the initial log-on, they only need to logon to some applications. 

D. Once a user obtains access to the system through the initial log-on, he has to logout from all other systems 


Answer: A 


Explanation: 

Single Sign-On is a distrubuted Access Control methodology where an individual only has to authenticate once and would have access to all primary and 
secondary network domains. The individual would not be required to re-authenticate when they needed additional resources. The security issue that this creates is 
if a fraudster is able to compromise those credential they too would have access to all the resources that account has access to. 

All the other answers are incorrect as they are distractors. 


NEW QUESTION 53 
- (Topic 1) 
Which access control model enables the OWNER of the resource to specify what subjects can access specific resources based on their identity? 


A. Discretionary Access Control 
B. Mandatory Access Control 
C. Sensitive Access Control 

D. Role-based Access Control 


Answer: A 


Explanation: 

Data owners decide who has access to resources based only on the identity of the person accessing the resource. 

The following answers are incorrect : 

Mandatory Access Control : users and data owners do not have as much freedom to determine who can access files. The operating system makes the final 
decision and can override the users' wishes and access decisions are based on security labels. 

Sensitive Access Control : There is no such access control in the context of the above question. 

Role-based Access Control : uses a centrally administered set of controls to determine how subjects and objects interact , also called as non discretionary access 
control. 

In a mandatory access control (MAC) model, users and data owners do not have as much freedom to determine who can access files. The operating system 
makes the final decision and can override the users’ wishes. This model is much more structured and strict and is based on a security label system. Users are 
given a security clearance (secret, top secret, confidential, and so on), and data is classified in the same way. The clearance and classification data is stored in the 
security labels, which are bound to the specific subjects and objects. When the system makes a decision about fulfilling a request to access an object, it is based 
on the clearance of the subject, the classification of the object, and the security policy of the system. The rules for how subjects access objects are made by the 
security officer, configured by the administrator, enforced by the operating system, and supported by security technologies 

Reference : Shon Harris , AlO v3 , Chapter-4 : Access Control , Page : 163-165 


NEW QUESTION 54 
- (Topic 1) 
Which security model is based on the military classification of data and people with clearances? 


A. Brewer-Nash model 
B. Clark-Wilson model 
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C. Bell-LaPadula model 
D. Biba model 


Answer: C 


Explanation: 

The Bell-LaPadula model is a confidentiality model for information security based on the military classification of data, on people with clearances and data with a 
classification or sensitivity model. The Biba, Clark-Wilson and Brewer-Nash models are concerned with integrity. 

Source: HARE, Chris, Security Architecture and Models, Area 6 CISSP Open Study Guide, January 2002. 


NEW QUESTION 55 
- (Topic 1) 
What is the main objective of proper separation of duties? 


A. To prevent employees from disclosing sensitive information. 
B. To ensure access controls are in place. 

C. To ensure that no single individual can compromise a system. 
D. To ensure that audit trails are not tampered with. 


Answer: C 


Explanation: 

The primary objective of proper separation of duties is to ensure that one person acting alone cannot compromise the company's security in any way. A proper 
separation of duties does not prevent employees from disclosing information, nor does it ensure that access controls are in place or that audit trails are not 
tampered with. Source: HARRIS, Shon, All-In-One CISSP Certification Exam Guide, McGraw- Hill/Osborne, 2002, Chapter 12: Operations Security (Page 808). 


NEW QUESTION 59 
- (Topic 1) 
Which of the following would constitute the best example of a password to use for access to a system by a network administrator? 


A. holiday 

B. Christmas12 
C. Jenny 

D. GyN19Za! 


Answer: D 


Explanation: 

GyN19Za! would be the the best answer because it contains a mixture of upper and lower case characters, alphabetic and numeric characters, and a special 
character making it less vulnerable to password attacks. 

All of the other answers are incorrect because they are vulnerable to brute force or dictionary attacks. Passwords should not be common words or names. The 
addition of a number to the end of a common word only marginally strengthens it because a common password attack would also check combinations of words: 
Christmas23 Christmas1 23 etc... 


NEW QUESTION 62 
- (Topic 1) 
Which of the following is not a physical control for physical security? 


A. lighting 
B. fences 
C. training 
D. facility construction materials 


Answer: C 


Explanation: 

Some physical controls include fences, lights, locks, and facility construction materials. Some administrative controls include facility selection and construction, 
facility management, personnel controls, training, and emergency response and procedures. 

From: HARRIS, Shon, All-In-One CISSP Certification Exam Guide, McGraw-Hill/Osborne, 3rd. Ed., Chapter 6, page 403. 


NEW QUESTION 67 

- (Topic 1) 

Pin, Password, Passphrases, Tokens, smart cards, and biometric devices are all items that can be used for Authentication. When one of these item listed above in 
conjunction with a second factor to validate authentication, it provides robust authentication of the individual by practicing which of the following? 


A. Multi-party authentication 
B. Two-factor authentication 
C. Mandatory authentication 
D. Discretionary authentication 


Answer: B 


Explanation: 

Once an identity is established it must be authenticated. There exist numerous technologies and implementation of authentication methods however they almost 
all fall under three major areas. 

There are three fundamental types of authentication: Authentication by knowledge—something a person knows 

Authentication by possession—something a person has 

Authentication by characteristic—something a person is Logical controls related to these types are called “factors.” 
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Something you know can be a password or PIN, something you have can be a token fob or smart card, and something you are is usually some form of biometrics. 
Single-factor authentication is the employment of one of these factors, two-factor authentication is using two of the three factors, and three-factor authentication is 
the combination of all three factors. 

The general term for the use of more than one factor during authentication is multifactor authentication or strong authentication. 

Reference(s) used for this question: 

Hernandez CISSP, Steven (2012-12-21). Official (ISC)2 Guide to the CISSP CBK, Third Edition ((ISC)2 Press) (Kindle Locations 2367-2379). Auerbach 
Publications. Kindle Edition. 


NEW QUESTION 71 
- (Topic 1) 
RADIUS incorporates which of the following services? 


A. Authentication server and PIN codes. 

B. Authentication of clients and static passwords generation. 

C. Authentication of clients and dynamic passwords generation. 

D. Authentication server as well as support for Static and Dynamic passwords. 


Answer: D 


Explanation: 

A Network Access Server (NAS) operates as a client of RADIUS. The client is responsible for passing user information to 

designated RADIUS servers, and then acting on the response which is returned. 

RADIUS servers are responsible for receiving user connection requests, authenticating the user, and then returning all configuration information necessary for the 
client to deliver service to the user. 

RADIUS authentication is based on provisions of simple username/password credentials. 

These credentials are encrypted 

by the client using a shared secret between the client and the RADIUS server. OIG 2007, Page 513 

RADIUS incorporates an authentication server and can make uses of both dynamic and static passwords. 

Since it uses the PAP and CHAP protocols, it also incluses static passwords. 

RADIUS is an Internet protocol. RADIUS carries authentication, authorization, and configuration information between a Network Access Server and a shared 
Authentication Server. RADIUS features and functions are described primarily in the IETF (International Engineering Task Force) document RFC2138. 

The term " RADIUS" is an acronym which stands for Remote Authentication Dial In User Service. 

The main advantage to using a RADIUS approach to authentication is that it can provide a stronger form of authentication. RADIUS is capable of using a strong, 
two-factor form of authentication, in which users need to possess both a user ID and a hardware or software token to gain access. 

Token-based schemes use dynamic passwords. Every minute or so, the token generates a unique 4-, 6- or 8-digit access number that is synchronized with the 
security server. To gain entry into the system, the user must generate both this one-time number and provide his or her user ID and password. 

Although protocols such as RADIUS cannot protect against theft of an authenticated session via some realtime attacks, such as wiretapping, using unique, 
unpredictable authentication requests can protect against a wide range of active attacks. 

RADIUS: Key Features and Benefits Features Benefits 

RADIUS supports dynamic passwords and challenge/response passwords. Improved system security due to the fact that passwords are not static. 

It is much more difficult for a bogus host to spoof users into giving up their passwords or password-generation algorithms. 

RADIUS allows the user to have a single user ID and password for all computers in a network. 

Improved usability due to the fact that the user has to remember only one login combination. 

RADIUS is able to: 

Prevent RADIUS users from logging in via login (or ftp). Require them to log in via login (or ftp) 

Require them to login to a specific network access server (NAS); Control access by time of day. 

Provides very granular control over the types of logins allowed, on a per-user basis. The time-out interval for failing over from an unresponsive primary RADIUS 
server toa 

backup RADIUS server is site-configurable. 

RADIUS gives System Administrator more flexibility in managing which users can login from which hosts or devices. 

Stratus Technology Product Brief http:/Awww.stratus.com/products/vos/openvos/radius.htm 

Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, 2001, John Wiley & Sons, Pages 43, 
44. 

Also check: MILLER, Lawrence & GREGORY, Peter, CISSP for Dummies, 2002, Wiley Publishing, Inc., pages 45-46. 


NEW QUESTION 74 
- (Topic 1) 
Which TCSEC class specifies discretionary protection? 


Answer: D 


Explanation: 
C1 involves discretionary protection, C2 involves controlled access protection, B1 involves labeled security protection and B2 involves structured protection. 
Source: TIPTON, Hal, (ISC)2, Introduction to the CISSP Exam presentation. 


NEW QUESTION 78 

- (Topic 1) 

Guards are appropriate whenever the function required by the security program involves which of the following? 
A. The use of discriminating judgment 

B. The use of physical force 

C. The operation of access control devices 

D. The need to detect unauthorized access 


Answer: A 
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Explanation: 

The Answer The use of discriminating judgment, a guard can make the determinations that hardware or other automated security devices cannot make due to its 
ability to adjust to rapidly changing conditions, to learn and alter recognizable patterns, and to respond to various conditions in the environment. Guards are better 
at making value decisions at times of incidents. They are appropriate whenever immediate, discriminating judgment is required by the security entity. 

The following answers are incorrect: 

The use of physical force This is not the best answer. A guard provides discriminating judgment, and the ability to discern the need for physical force. 

The operation of access control devices A guard is often uninvolved in the operations of an automated access control device such as a biometric reader, a smart 
lock, mantrap, etc. The need to detect unauthorized access The primary function of a guard is not to detect unauthorized access, but to prevent unauthorized 
physical access attempts and may deter social engineering attempts. 

The following reference(s) were/was used to create this question: 

Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, John Wiley & Sons, 2001, Chapter 10: 
Physical security (page 339). 

Source: ISC2 Offical Guide to the CBK page 288-289. 


NEW QUESTION 81 
- (Topic 1) 
Which of the following statements pertaining to biometrics is false? 


A. Increased system sensitivity can cause a higher false rejection rate 

B. The crossover error rate is the point at which false rejection rate equals the false acceptance rate. 
C. False acceptance rate is also known as Type II error. 

D. Biometrics are based on the Type 2 authentication mechanism. 


Answer: D 


Explanation: 

Authentication is based on three factor types: type 1 is something you know, type 2 is something you have and type 3 is something you are. Biometrics are based 
on the Type 3 authentication mechanism. 

Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, John Wiley & Sons, 2001, Chapter 2: 
Access control systems (page 37). 


NEW QUESTION 83 
- (Topic 1) 
Identification and authentication are the keystones of most access control systems. Identification establishes: 


A. User accountability for the actions on the system. 

B. Top management accountability for the actions on the system. 

C. EDP department accountability for the actions of users on the system. 
D. Authentication for actions on the system 


Answer: A 


Explanation: 

Identification and authentication are the keystones of most access control systems. Identification establishes user accountability for the actions on the system. 
The control environment can be established to log activity regarding the identification, authentication, authorization, and use of privileges on a system. This can be 
used to detect the occurrence of errors, the attempts to perform an unauthorized action, or to validate when provided credentials were exercised. The logging 
system as a detective device provides evidence of actions (both successful and unsuccessful) and tasks that were executed by authorized users. 

Once a person has been identified through the user ID or a similar value, she must be authenticated, which means she must prove she is who she says she is. 
Three general factors can be used for authentication: something a person knows, something a person has, and something a person is. They are also commonly 
called authentication by knowledge, authentication by ownership, and authentication by characteristic. 

For a user to be able to access a resource, he first must prove he is who he claims to be, has the necessary credentials, and has been given the necessary rights 
or privileges to perform the actions he is requesting. Once these steps are completed successfully, the user can access and use network resources; however, it is 
necessary to track the user’s activities and enforce accountability for his actions. 

Identification describes a method of ensuring that a subject (user, program, or process) is the entity it claims to be. Identification can be provided with the use of a 
username or account number. To be properly authenticated, the subject is usually required to provide a second piece to the credential set. This piece could be a 
password, passphrase, 
cryptographic key, personal identification number (PIN), anatomical attribute, or token. 

These two credential items are compared to information that has been previously stored for this subject. If these credentials match the stored information, the 
subject is authenticated. But we are not done yet. Once the subject provides its credentials and is properly identified, the system it is trying to access needs to 
determine if this subject has been given the necessary rights and privileges to carry out the requested actions. The system will look at some type of access control 
matrix or compare security labels to verify that this subject may indeed access the requested resource and perform the actions it is attempting. If the system 
determines that the subject may access the resource, it authorizes the subject. 

Although identification, authentication, authorization, and accountability have close and complementary definitions, each has distinct functions that fulfill a specific 
requirement in the process of access control. A user may be properly identified and authenticated to the network, but he may not have the authorization to access 
the files on the file server. On the other hand, a user may be authorized to access the files on the file server, but until she is properly identified and authenticated, 
those resources are out of reach. 

Reference(s) used for this question: 

Schneiter, Andrew (2013-04-15). Official (ISC)2 Guide to the CISSP CBK, Third Edition: Access Control ((ISC)2 Press) (Kindle Locations 889-892). Auerbach 
Publications. Kindle Edition. 
and 
Harris, Shon (2012-10-25). CISSP All-in-One Exam Guide, 6th Edition (Kindle Locations 3875-3878). McGraw-Hill. Kindle Edition. 
and 
Harris, Shon (2012-10-25). CISSP All-in-One Exam Guide, 6th Edition (Kindle Locations 3833-3848). McGraw-Hill. Kindle Edition. 
and 
Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, 2001, John Wiley & Sons, Page 36. 


NEW QUESTION 84 
- (Topic 1) 
What is called the use of technologies such as fingerprint, retina, and iris scans to authenticate the individuals requesting access to resources? 
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A. Micrometrics 

B. Macrometrics 
C. Biometrics 

D. MicroBiometrics 


Answer: C 


Explanation: 
Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, 2001, John Wiley & Sons, Page 35. 


NEW QUESTION 89 
- (Topic 1) 
In the CIA triad, what does the letter A stand for? 


A. Auditability 
B. Accountability 
C. Availability 
D. Authentication 


Answer: C 


Explanation: 
The CIA triad stands for Confidentiality, Integrity and Availability. 


NEW QUESTION 93 
- (Topic 1) 
Which of the following statements pertaining to access control is false? 


A. Users should only access data on a need-to-know basis. 

B. If access is not explicitly denied, it should be implicitly allowed. 

C. Access rights should be granted based on the level of trust a company has on a subject. 
D. Roles can be an efficient way to assign rights to a type of user who performs certain tasks. 


Answer: B 


Explanation: 

Access control mechanisms should default to no access to provide the necessary level of security and ensure that no security holes go unnoticed. If access is not 
explicitly allowed, it should be implicitly denied. 

Source: HARRIS, Shon, All-In-One CISSP Certification Exam Guide, McGraw- Hill/Osborne, 2002, Chapter 4: Access Control (page 143). 


NEW QUESTION 95 

- (Topic 1) 

A department manager has read access to the salaries of the employees in his/her department but not to the salaries of employees in other departments. A 
database security mechanism that enforces this policy would typically be said to provide which of the following? 


A. Content-dependent access control 
B. Context-dependent access control 
C. Least privileges access control 

D. Ownership-based access control 


Answer: A 


Explanation: 

When access control is based on the content of an object, it is considered to be content dependent access control. 

Content-dependent access control is based on the content itself. The following answers are incorrect: 

context-dependent access control. Is incorrect because this type of control is based on what the context is, facts about the data rather than what the object 
contains. 

least privileges access control. Is incorrect because this is based on the least amount of rights needed to perform their jobs and not based on what is contained in 
the database. ownership-based access control. Is incorrect because this is based on the owner of the data and and not based on what is contained in the 
database. 

References: 

OIG CBK Access Control (page 191) 


NEW QUESTION 96 
- (Topic 1) 
The Orange Book is founded upon which security policy model? 


A. The Biba Model 

B. The Bell LaPadula Model 
C. Clark-Wilson Model 

D. TEMPEST 


Answer: B 
Explanation: 
From the glossary of Computer Security Basics: 


The Bell-LaPadula model is the security policy model on which the Orange Book requirements are based. From the Orange Book definition, "A formal state 
transition model of computer security policy that describes a set of access control rules. In this formal model, the entities in a computer system are divided into 
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abstract sets of subjects and objects. The notion of secure state is defined and it is proven that each state transition preserves security by moving from secure 
state to secure state; thus, inductively proving the system is secure. A system state is defined to be 'secure' if the only permitted access modes of subjects to 
objects are in accordance with a specific security policy. In order to determine whether or not a specific access mode is allowed, the clearance of a subject is 
compared to the classification of the object and a determination is made as to whether the subject is authorized for the specific access mode." 

The Biba Model is an integrity model of computer security policy that describes a set of rules. In this model, a subject may not depend on any object or other 
subject that is less trusted than itself. 

The Clark Wilson Model is an integrity model for computer security policy designed for a commercial environment. It addresses such concepts as nondiscretionary 
access control, privilege separation, and least privilege. TEMPEST is a government program that prevents the compromising electrical and electromagnetic signals 
that emanate from computers and related equipment from being intercepted and deciphered. 

Source: RUSSEL, Deborah & GANGEMI, G.T. Sr., Computer Security Basics, O'Reilly, 1991. 

Also: U.S. Department of Defense, Trusted Computer System Evaluation Criteria (Orange Book), DOD 5200.28-STD. December 1985 (also available here). 


NEW QUESTION 101 
- (Topic 1) 
How would nonrepudiation be best classified as? 


A. A preventive control 

B. A logical control 

C. A corrective control 

D. A compensating control 


Answer: A 


Explanation: 

Systems accountability depends on the ability to ensure that senders cannot deny sending information and that receivers cannot deny receiving it. Because the 
mechanisms implemented in nonrepudiation prevent the ability to successfully repudiate an action, it can be considered as a preventive control. 

Source: STONEBURNER, Gary, NIST Special Publication 800-33: Underlying Technical Models for Information Technology Security, National Institute of 
Standards and Technology, December 2001, page 7. 


NEW QUESTION 104 
- (Topic 1) 
A central authority determines what subjects can have access to certain objects based on the organizational security policy is called: 


A. Mandatory Access Control 

B. Discretionary Access Control 

C. Non-Discretionary Access Control 
D. Rule-based Access control 


Answer: C 


Explanation: 

A central authority determines what subjects can have access to certain objects based on the organizational security policy. 

The key focal point of this question is the 'central authority’ that determines access rights. Cecilia one of the quiz user has sent me feedback informing me that 
NIST defines MAC as: 

"MAC Policy means that Access Control Policy Decisions are made by a CENTRAL 

AUTHORITY. Which seems to indicate there could be two good answers to this question. 

However if you read the NISTR document mentioned in the references below, it is also mentioned that: MAC is the most mentioned NDAC policy. So MAC is a 
form of NDAC policy. 

Within the same document it is also mentioned: "In general, all access control policies other than DAC are grouped in the category of non- discretionary access 
control (NDAC). As the name implies, policies in this category have rules that are not established at the discretion of the user. Non-discretionary policies establish 
controls that cannot be changed by users, but only through administrative action." 

Under NDAC you have two choices: 

Rule Based Access control and Role Base Access Control 

MAC is implemented using RULES which makes it fall under RBAC which is a form of NDAC. It is a subset of NDAC. 

This question is representative of what you can expect on the real exam where you have more than once choice that seems to be right. However, you have to look 
closely if one of the choices would be higher level or if one of the choice falls under one of the other choice. In this case NDAC is a better choice because MAC is 
falling under NDAC through the use of Rule Based Access Control. 

The following are incorrect answers: MANDATORY ACCESS CONTROL 

In Mandatory Access Control the labels of the object and the clearance of the subject 

determines access rights, not a central authority. Although a central authority (Better known as the Data Owner) assigns the label to the object, the system does 
the determination of access rights automatically by comparing the Object label with the Subject clearance. The subject clearance MUST dominate (be equal or 
higher) than the object being accessed. 

The need for a MAC mechanism arises when the security policy of a system dictates that: 

* 1. Protection decisions must not be decided by the object owner. 

* 2. The system must enforce the protection decisions (i.e., the system enforces the security policy over the wishes or intentions of the object owner). 

Usually a labeling mechanism and a set of interfaces are used to determine access based on the MAC policy; for example, a user who is running a process at the 
Secret classification should not be allowed to read a file with a label of Top Secret. This is known as the “simple security rule,” or “no read up.” 

Conversely, a user who is running a process with a label of Secret should not be allowed to write to a file with a label of Confidential. This rule is called the 
“*-property” (pronounced 

“star property”) or “no write down.” The *-property is required to maintain system security in an automated environment. 

DISCRETIONARY ACCESS CONTROL 

In Discretionary Access Control the rights are determined by many different entities, each of the persons who have created files and they are the owner of that file, 
not one central authority. 

DAC leaves a certain amount of access control to the discretion of the object's owner or anyone else who is authorized to control the object's access. For example, 
it is generally used to limit a user's access to a file; it is the owner of the file who controls other users' accesses to the file. Only those users specified by the owner 
may have some combination of read, write, execute, and other permissions to the file. 

DAC policy tends to be very flexible and is widely used in the commercial and government sectors. However, DAC is known to be inherently weak for two reasons: 
First, granting read access is transitive; for example, when Ann grants Bob read access to a file, nothing stops Bob from copying the contents of Ann’s file to an 
object that Bob controls. Bob may now grant any other user access to the copy of Ann’s file without Ann’s knowledge. 

Second, DAC policy is vulnerable to Trojan horse attacks. Because programs inherit the identity of the invoking user, Bob may, for example, write a program for 
Ann that, on the surface, performs some useful function, while at the same time destroys the contents of Ann’s files. When investigating the problem, the audit 
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files would indicate that Ann destroyed her own files. Thus, formally, the drawbacks of DAC are as follows: 

Discretionary Access Control (DAC) Information can be copied from one object to another; therefore, there is no real assurance on the flow of information in a 
system. 

No restrictions apply to the usage of information when the user has received it. 

The privileges for accessing objects are decided by the owner of the object, rather than through a system-wide policy that reflects the organization’s security 
requirements. 

ACLs and owner/group/other access control mechanisms are by far the most common mechanism for implementing DAC policies. Other mechanisms, even 
though not designed with DAC in mind, may have the capabilities to implement a DAC policy. 

RULE BASED ACCESS CONTROL 

In Rule-based Access Control a central authority could in fact determine what subjects can 

have access when assigning the rules for access. However, the rules actually determine the access and so this is not the most correct answer. 

RuBAC (as opposed to RBAC, role-based access control) allow users to access systems and information based on pre determined and configured rules. It is 
important to note that there is no commonly understood definition or formally defined standard for rule-based access control as there is for DAC, MAC, and RBAC. 
“Rule-based access” is a generic term applied to systems that allow some form of organization-defined rules, and therefore rule-based access control 
encompasses a broad range of systems. RUuBAC may in fact be combined with other models, particularly RBAC or DAC. A RuBAC system intercepts every access 
request and compares the rules with the rights of the user to make an access decision. Most of the rule-based access control relies on a security label system, 
which dynamically composes a set of rules defined by a security policy. Security labels are attached to all objects, including files, directories, and devices. 
Sometime roles to subjects (based on their attributes) are assigned as well. RUBAC meets the business needs as well as the technical needs of controlling service 
access. It allows business rules to be applied to access control—for example, customers who have overdue balances may be denied service access. As a 
mechanism for MAC, rules of RUBAC cannot be changed by users. The rules can be established by any attributes of a system related to the users such as 
domain, host, protocol, network, or IP addresses. For example, suppose that a user wants to access an object in another network on the other side of a router. The 
router employs RuBAC with the rule composed by the network addresses, domain, and protocol to decide whether or not the user can be granted access. If 
employees change their roles within the organization, their existing authentication credentials remain in effect and do not need to be re configured. Using rules in 
conjunction with roles adds greater flexibility because rules can be applied to people as well as to devices. Rule-based access control can be combined with role- 
based access control, such that the role of a user is one of the attributes in rule setting. Some provisions of access control systems have rule- based policy 
engines in addition to a role-based policy engine and certain implemented dynamic policies [Des03]. For example, suppose that two of the primary types of 
software users are product engineers and quality engineers. Both groups usually have access to the same data, but they have different roles to perform in relation 
to the data and the application's function. In addition, individuals within each group have different job responsibilities that may be identified using several types of 
attributes such as developing programs and testing areas. Thus, the access decisions can be made in real time by a scripted policy that regulates the access 
between the groups of product engineers and quality engineers, and each individual within these groups. Rules can either replace or complement role-based 
access control. However, the creation of rules and security policies is also a complex process, so each organization will need to strike the appropriate balance. 
References used for this question: http://csrc.nist.gov/publications/nistir/7316/NISTIR-7316.pdf and 

AIO v3 p162-167 and OIG (2007) p.186-191 

also 

KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, 2001, John Wiley & Sons, Page 33. 


NEW QUESTION 108 
- (Topic 1) 
In biometrics, "one-to-many" search against database of stored biometric images is done in: 


A. Authentication 

B. Identification 

C. Identities 

D. Identity-based access control 


Answer: B 


Explanation: 
In biometrics, identification is a "one-to-many" search of an individual's characteristics from a database of stored images. 
Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, 2001, John Wiley & Sons, Page 38. 


NEW QUESTION 111 

- (Topic 1) 

Access control is the collection of mechanisms that permits managers of a system to exercise a directing or restraining influence over the behavior, use, and 
content of a system. It does not permit management to: 


A. specify what users can do 

B. specify which resources they can access 

C. specify how to restrain hackers 

D. specify what operations they can perform on a system. 


Answer: C 


Explanation: 

Access control is the collection of mechanisms that permits managers of a system to exercise a directing or restraining influence over the behavior, use, and 
content of a system. It permits management to specify what users can do, which resources they can access, and what operations they can perform on a system. 
Specifying HOW to restrain hackers is not directly linked to access control. 

Source: DUPUIS, Clement, Access Control Systems and Methodology, Version 1, May 2002, CISSP Open Study Group Study Guide for Domain 1, Page 12. 


NEW QUESTION 112 

- (Topic 1) 

What is the primary role of smartcards in a PKI? 

A. Transparent renewal of user keys 

B. Easy distribution of the certificates between the users 

C. Fast hardware encryption of the raw data 

D. Tamper resistant, mobile storage and application of private keys of the users 


Answer: D 
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Explanation: 

Reference: HARRIS, Shon, All-In-One CISSP Certification Exam Guide, 2001, McGraw- Hill/Osborne, page 139; 

SNYDER, J., What is a SMART CARD?. 

Wikipedia has a nice definition at: http://en.wikipedia.org/wiki/Tamper_resistance Security 

Tamper-resistant microprocessors are used to store and process private or sensitive information, such as private keys or electronic money credit. To prevent an 
attacker from 

retrieving or modifying the information, the chips are designed so that the information is not accessible through external means and can be accessed only by the 
embedded software, which should contain the appropriate security measures. 

Examples of tamper-resistant chips include all secure cryptoprocessors, such as the IBM 4758 and chips used in smartcards, as well as the Clipper chip. 

It has been argued that it is very difficult to make simple electronic devices secure against tampering, because numerous attacks are possible, including: 

physical attack of various forms (microprobing, drills, files, solvents, etc.) freezing the device 

applying out-of-spec voltages or power surges applying unusual clock signals 

inducing software errors using radiation 

measuring the precise time and power requirements of certain operations (see power analysis) 

Tamper-resistant chips may be designed to zeroise their sensitive data (especially cryptographic keys) if they detect penetration of their security encapsulation or 
out-of- specification environmental parameters. A chip may even be rated for "cold zeroisation", the ability to zeroise itself even after its power supply has been 
crippled. 

Nevertheless, the fact that an attacker may have the device in his possession for as long as he likes, and perhaps obtain numerous other samples for testing and 
practice, means that it is practically impossible to totally eliminate tampering by a sufficiently motivated opponent. Because of this, one of the most important 
elements in protecting a system is overall system design. In particular, tamper-resistant systems should "fail gracefully" by ensuring that compromise of one device 
does not compromise the entire system. In this manner, the attacker can be practically restricted to attacks that cost less than the expected return from 
compromising a single device (plus, perhaps, a little more for kudos). Since the most sophisticated attacks have been estimated to cost several hundred thousand 
dollars to carry out, carefully designed systems may be invulnerable in practice. 


NEW QUESTION 113 
- (Topic 1) 
Who developed one of the first mathematical models of a multilevel-security computer system? 


A. Diffie and Hellman. 
B. Clark and Wilson. 

C. Bell and LaPadula. 
D. Gasser and Lipner. 


Answer: C 


Explanation: 

In 1973 Bell and LaPadula created the first mathematical model of a multi- level security system. 

The following answers are incorrect: 

Diffie and Hellman. This is incorrect because Diffie and Hellman was involved with cryptography. 

Clark and Wilson. This is incorrect because Bell and LaPadula was the first model. The Clark-Wilson model came later, 1987. 
Gasser and Lipner. This is incorrect, it is a distractor. Bell and LaPadula was the first model. 


NEW QUESTION 116 

- (Topic 1) 

Almost all types of detection permit a system's sensitivity to be increased or decreased during an inspection process. If the system's sensitivity is increased, such 
as in a biometric authentication system, the system becomes increasingly selective and has the possibility of generating: 


A. Lower False Rejection Rate (FRR) 
B. Higher False Rejection Rate (FRR) 
C. Higher False Acceptance Rate (FAR) 
D. It will not affect either FAR or FRR 


Answer: B 


Explanation: 

Almost all types of detection permit a system's sensitivity to be increased or decreased during an inspection process. If the system's sensitivity is increased, such 
as in a biometric authentication system, the system becomes increasingly selective and has a higher False Rejection Rate (FRR). 

Conversely, if the sensitivity is decreased, the False Acceptance Rate (FRR) will increase. Thus, to have a valid measure of the system performance, the Cross 
Over Error (CER) rate is used. The Crossover Error Rate (CER) is the point at which the false rejection rates and the false acceptance rates are equal. The lower 
the value of the CER, the more accurate the system. 

There are three categories of biometric accuracy measurement (all represented as percentages): 

False Reject Rate (a Type | Error): When authorized users are falsely rejected as unidentified or unverified. 

False Accept Rate (a Type II Error): When unauthorized persons or imposters are falsely accepted as authentic. 

Crossover Error Rate (CER): The point at which the false rejection rates and the false acceptance rates are equal. The smaller the value of the CER, the more 
accurate the system. 

NOTE: 

Within the ISC2 book they make use of the term Accept or Acceptance and also Reject or Rejection when referring to the type of errors within biometrics. Below 
we make use of Acceptance and Rejection throughout the text for conistency. However, on the real exam you could see either of the terms. 

Performance of biometrics 

Different metrics can be used to rate the performance of a biometric factor, solution or application. The most common performance metrics are the False 
Acceptance Rate FAR and the False Rejection Rate FRR. 

When using a biometric application for the first time the user needs to enroll to the system. The system requests fingerprints, a voice recording or another biometric 
factor from the 

operator, this input is registered in the database as a template which is linked internally to a user ID. The next time when the user wants to authenticate or identify 
himself, the biometric input provided by the user is compared to the template(s) in the database by a matching algorithm which responds with acceptance (match) 
or rejection (no match). 

FAR and FRR 

The FAR or False Acceptance rate is the probability that the system incorrectly authorizes a non-authorized person, due to incorrectly matching the biometric input 
with a valid template. The FAR is normally expressed as a percentage, following the FAR definition this is the percentage of invalid inputs which are incorrectly 
accepted. 

The FRR or False Rejection Rate is the probability that the system incorrectly rejects access to an authorized person, due to failing to match the biometric input 
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provided by the user with a stored template. The FRR is normally expressed as a percentage, following the FRR definition this is the percentage of valid inputs 
which are incorrectly rejected. 

FAR and FRR are very much dependent on the biometric factor that is used and on the technical implementation of the biometric solution. Furthermore the FRR is 
strongly person dependent, a personal FRR can be determined for each individual. 

Take this into account when determining the FRR of a biometric solution, one person is insufficient to establish an overall FRR for a solution. Also FRR might 
increase due to environmental conditions or incorrect use, for example when using dirty fingers on a fingerprint reader. Mostly the FRR lowers when a user gains 
more experience in how to use the biometric device or software. 

FAR and FRR are key metrics for biometric solutions, some biometric devices or software even allow to tune them so that the system more quickly matches or 
rejects. Both FRR and FAR are important, but for most applications one of them is considered most important. Two examples to illustrate this: 

When biometrics are used for logical or physical access control, the objective of the application is to disallow access to unauthorized individuals under all 
circumstances. It is clear that a very low FAR is needed for such an application, even if it comes at the price of a higher FRR. 

When surveillance cameras are used to screen a crowd of people for missing children, the objective of the application is to identify any missing children that come 
up on the screen. When the identification of those children is automated using a face recognition software, this software has to be set up with a low FRR. As such 
a higher number of matches will be false positives, but these can be reviewed quickly by surveillance personnel. 

False Acceptance Rate is also called False Match Rate, and False Rejection Rate is sometimes referred to as False Non-Match Rate. 

crossover error rate 


Sensitivity 


crossover error rate 

Above see a graphical representation of FAR and FRR errors on a graph, indicating the CER 

CER 

The Crossover Error Rate or CER is illustrated on the graph above. It is the rate where both FAR and FRR are equal. 

The matching algorithm in a biometric software or device uses a (configurable) threshold which determines how close to a template the input must be for it to be 
considered a match. This threshold value is in some cases referred to as sensitivity, it is marked on the X axis of the plot. When you reduce this threshold there will 
be more false acceptance errors (higher FAR) and less false rejection errors (lower FRR), a higher threshold will lead to lower FAR and higher FRR. 

Speed 

Most manufacturers of biometric devices and softwares can give clear numbers on the time it takes to enroll as well on the time for an individual to be 
authenticated or identified using their application. If speed is important then take your time to consider this, 5 seconds might seem a short time on paper or when 
testing a device but if hundreds of people will use the device multiple times a day the cumulative loss of time might be significant. 

Reference(s) used for this question: 

Hernandez CISSP, Steven (2012-12-21). Official (ISC)2 Guide to the CISSP CBK, Third 

Edition ((ISC)2 Press) (Kindle Locations 2723-2731). Auerbach Publications. Kindle Edition. 

and 

KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, 2001, John Wiley & Sons, Page 37. 

and 

http :/Awww.biometric-solutions.com/index.php?story=performance_biometrics 


NEW QUESTION 120 
- (Topic 1) 
Which of the following is the WEAKEST authentication mechanism? 


A. Passphrases 

B. Passwords 

C. One-time passwords 
D. Token devices 


Answer: B 


Explanation: 

Most of the time users usually choose passwords which can be guessed , hence passwords is the BEST answer out of the choices listed above. 
The following answers are incorrect because : 

Passphrases is incorrect as it is more secure than a password because it is longer. 

One-time passwords is incorrect as the name states , it is good for only once and cannot be reused. 

Token devices is incorrect as this is also a password generator and is an one time 

password mechanism. 

Reference : Shon Harris AIO v3 , Chapter-4 : Access Control , Page : 139 , 142. 


NEW QUESTION 123 

- (Topic 1) 

What is the name of the first mathematical model of a multi-level security policy used to define the concept of a secure state, the modes of access, and rules for 
granting access? 


A. Clark and Wilson Model 


B. Harrison-Ruzzo-Ullman Model 
C. Rivest and Shamir Model 
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D. Bell-LaPadula Model 
Answer: D 


Explanation: 
Source: TIPTON, Hal, (ISC)2, Introduction to the CISSP Exam presentation. 


NEW QUESTION 128 
- (Topic 1) 
Which of the following remote access authentication systems is the most robust? 


A. TACACS+ 
B. RADIUS 
C. PAP 

D. TACACS 


Answer: A 


Explanation: 

TACACS+ is a proprietary Cisco enhancement to TACACS and is more robust than RADIUS. PAP is not a remote access authentication system but a remote 
node security protocol. 

Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, John Wiley & Sons, 2001, Chapter 3: 
Telecommunications and Network Security (page 122). 


NEW QUESTION 129 
- (Topic 1) 
Which of the following is not a two-factor authentication mechanism? 


A. Something you have and something you know. 
B. Something you do and a password. 

C. Asmartcard and something you are. 

D. Something you know and a password. 


Answer: D 


Explanation: 

Something you know and a password fits within only one of the three ways authentication could be done. A password is an example of something you know, 
thereby something you know and a password does not constitute a two-factor authentication as both are in the same category of factors. 

A two-factor (strong) authentication relies on two different kinds of authentication factors out of a list of three possible choice: 

something you know (e.g. a PIN or password), 

something you have (e.g. a smart card, token, magnetic card), 

something you are is mostly Biometrics (e.g. a fingerprint) or something you do (e.g. signature dynamics). 

TIP FROM CLEMENT: 

On the real exam you can expect to see synonyms and sometimes sub-categories under the main categories. People are familiar with Pin, Passphrase, Password 
as subset of Something you know. 

However, when people see choices such as Something you do or Something you are they immediately get confused and they do not think of them as subset of 
Biometrics where you have Biometric implementation based on behavior and physilogical attributes. So something you do falls under the Something you are 
category as a subset. 

Something your do would be signing your name or typing text on your keyboard for example. 

Strong authentication is simply when you make use of two factors that are within two different categories. 

Reference(s) used for this question: 

Shon Harris, CISSP All In One, Fifth Edition, pages 158-159 


NEW QUESTION 131 
- (Topic 1) 
Which security model ensures that actions that take place at a higher security level do not affect actions that take place at a lower level? 


A. The Bell-LaPadula model 
B. The information flow model 
C. The noninterference model 
D. The Clark-Wilson model 


Answer: C 


Explanation: 

The goal of a noninterference model is to strictly separate differing security levels to assure that higher-level actions do not determine what lower-level users can 
see. This is in contrast to other security models that control information flows between differing levels of users, By maintaining strict separation of security levels, a 
noninterference model minimizes leakages that might happen through a covert channel. 

The model ensures that any actions that take place at a higher security level do not affect, or interfere with, actions that take place at a lower level. 

It is not concerned with the flow of data, but rather with what a subject knows about the state of the system. So if an entity at a higher security level performs an 
action, it can not change the state for the entity at the lower level. 

The model also addresses the inference attack that occurs when some one has access to some type of information and can infer(guess) something that he does 
not have the clearance level or authority to know. 

The following are incorrect answers: 

The Bell-LaPadula model is incorrect. The Bell-LaPadula model is concerned only with confidentiality and bases access control decisions on the classfication of 
objects and the clearences of subjects. 

The information flow model is incorrect. The information flow models have a similar framework to the Bell-LaPadula model and control how information may flow 
between objects based on security classes. Information will be allowed to flow only in accordance with the security policy. 

The Clark-Wilson model is incorrect. The Clark-Wilson model is concerned with change control and assuring that all modifications to objects preserve integrity by 
means of well- formed transactions and usage of an access triple (subjet - interface - object). 
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References: 

CBK, pp 325 - 326 

AlO3, pp. 290 - 291 

AlOv4 Security Architecture and Design (page 345) 

AlOv5 Security Architecture and Design (pages 347 - 348) 
https://en.wikibooks.org/wiki/Security_Architecture_and_Design/Security_Models#Noninterf erence_Models 


NEW QUESTION 136 
- (Topic 1) 
Why should batch files and scripts be stored in a protected area? 


A. Because of the least privilege concept. 
B. Because they cannot be accessed by operators. 
C. Because they may contain credentials. 
D. Because of the need-to-know concept. 


Answer: C 


Explanation: 

Because scripts contain credentials, they must be stored in a protected area and the transmission of the scripts must be dealt with carefully. Operators might need 
access to batch files and scripts. The least privilege concept requires that each subject in a system be granted the most restrictive set of privileges needed for the 
performance of authorized tasks. The need-to-know principle requires a user having necessity for access to, knowledge of, or possession of specific information 
required to perform official tasks or services. 

Source: WALLHOFF, John, CISSP Summary 2002, April 2002, CBK#1 Access Control System & Methodology (page 3) 


NEW QUESTION 141 
- (Topic 1) 
Kerberos can prevent which one of the following attacks? 


A. tunneling attack. 

B. playback (replay) attack. 
C. destructive attack. 

D. process attack. 


Answer: B 


Explanation: 

Each ticket in Kerberos has a timestamp and are subject to time expiration to 

help prevent these types of attacks. The following answers are incorrect: 

tunneling attack. This is incorrect because a tunneling attack is an attempt to bypass security and access low-level systems. Kerberos cannot totally prevent these 
types of attacks. 

destructive attack. This is incorrect because depending on the type of destructive attack, Kerberos cannot prevent someone from physically destroying a server. 
process attack. This is incorrect because with Kerberos cannot prevent an authorzied individuals from running processes. 


NEW QUESTION 146 
- (Topic 1) 
What does the (star) integrity axiom mean in the Biba model? 


A. No read up 
B. No write down 
C. No read down 
D. No write up 


Answer: D 


Explanation: 

The (star) integrity axiom of the Biba access control model states that an object at one level of integrity is not permitted to modify an object of a higher level of 
integrity (no write up). 

Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, John Wiley & Sons, 2001, Chapter 5: 
Security Architectures and Models (page 205). 


NEW QUESTION 151 
- (Topic 1) 
Which of the following is not a logical control when implementing logical access security? 


A. access profiles. 

B. userids. 

C. employee badges. 
D. passwords. 


Answer: C 
Explanation: 
Employee badges are considered Physical so would not be a logical control. The following answers are incorrect: 


userids. Is incorrect because userids are a type of logical control. 
access profiles. Is incorrect because access profiles are a type of logical control. passwords. Is incorrect because passwords are a type of logical control. 


NEW QUESTION 154 
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- (Topic 1) 
Which access control model was proposed for enforcing access control in government and military applications? 


A. Bell-LaPadula model 
B. Biba model 

C. Sutherland model 

D. Brewer-Nash model 


Answer: A 


Explanation: 

The Bell-LaPadula model, mostly concerned with confidentiality, was proposed for enforcing access control in government and military applications. It supports 
mandatory access control by determining the access rights from the security levels associated with subjects and objects. It also supports discretionary access 
control by checking access rights from an access matrix. The Biba model, introduced in 1977, the Sutherland model, published in 1986, and the Brewer-Nash 
model, published in 1989, are concerned with integrity. 

Source: ANDRESS, Mandy, Exam Cram CISSP, Coriolis, 2001, Chapter 2: Access Control Systems and Methodology (page 11). 


NEW QUESTION 159 

- (Topic 1) 

This is a common security issue that is extremely hard to control in large environments. It occurs when a user has more computer rights, permissions, and access 
than what is required for the tasks the user needs to fulfill. What best describes this scenario? 


A. Excessive Rights 

B. Excessive Access 

C. Excessive Permissions 
D. Excessive Privileges 


Answer: D 


Explanation: 

Even thou all 4 terms are very close to each other, the best choice is Excessive Privileges which would include the other three choices presented. 
Reference(s) used for this question: 

HARRIS, Shon, All-In-One CISSP Certification Exam Guide, McGraw-Hill/Osborne, 2001, Page 645. 

and 


NEW QUESTION 163 
- (Topic 1) 
What physical characteristic does a retinal scan biometric device measure? 


A. The amount of light reaching the retina 

B. The amount of light reflected by the retina 

C. The pattern of light receptors at the back of the eye 
D. The pattern of blood vessels at the back of the eye 


Answer: D 


Explanation: 

The retina, a thin nerve (1/50th of an inch) on the back of the eye, is the part of the eye which senses light and transmits impulses through the optic nerve to the 
brain - the equivalent of film in a camera. Blood vessels used for biometric identification are located along the neural retina, the outermost of retina's four cell 
layers. 

The following answers are incorrect: 

The amount of light reaching the retina The amount of light reaching the retina is not used in the biometric scan of the retina. 

The amount of light reflected by the retina The amount of light reflected by the retina is not used in the biometric scan of the retina. 

The pattern of light receptors at the back of the eye This is a distractor The following reference(s) were/was used to create this question: Reference: Retina Scan 
Technology. 

ISC2 Official Guide to the CBK, 2007 (Page 161) 


NEW QUESTION 168 
- (Topic 1) 
The controls that usually require a human to evaluate the input from sensors or cameras to determine if a real threat exists are associated with: 


A. Preventive/physical 

B. Detective/technical 

C. Detective/physical 

D. Detective/administrative 


Answer: C 


Explanation: 
Detective/physical controls usually require a human to evaluate the input from sensors or cameras to determine if a real threat exists. 
Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, 2001, John Wiley & Sons, Page 36. 


NEW QUESTION 173 
- (Topic 1) 
Which of the following is NOT part of the Kerberos authentication protocol? 


A. Symmetric key cryptography 


B. Authentication service (AS) 
C. Principals 
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D. Public Key 
Answer: D 


Explanation: 

There is no such component within kerberos environment. Kerberos uses only symmetric encryption and does not make use of any public key component. 
The other answers are incorrect because : 

Symmetric key cryptography is a part of Kerberos as the KDC holds all the users' and 

services’ secret keys. 

Authentication service (AS) : KDC (Key Distribution Center) provides an authentication service 

Principals : Key Distribution Center provides services to principals , which can be users , applications or network services. 

References: Shon Harris , AIO v3 , Chapter - 4: Access Control , Pages : 152-155. 


NEW QUESTION 178 
- (Topic 1) 
What is one disadvantage of content-dependent protection of information? 


A. It increases processing overhead. 

B. It requires additional password entry. 

C. It exposes the system to data locking. 

D. It limits the user's individual address space. 


Answer: A 


Explanation: 
Source: TIPTON, Hal, (ISC)2, Introduction to the CISSP Exam presentation. 


NEW QUESTION 179 
- (Topic 1) 
Because all the secret keys are held and authentication is performed on the Kerberos TGS and the authentication servers, these servers are vulnerable to: 


A. neither physical attacks nor attacks from malicious code. 
B. physical attacks only 

C. both physical attacks and attacks from malicious code. 
D. physical attacks but not attacks from malicious code. 


Answer: C 


Explanation: 

Since all the secret keys are held and authentication is performed on the Kerberos TGS and the authentication servers, these servers are vulnerable to both 
physical attacks and attacks from malicious code. 

Because a client's password is used in the initiation of the Kerberos request for the service protocol, password guessing can be used to impersonate a client. 
Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, 2001, John Wiley & Sons, Page 42. 


NEW QUESTION 181 
- (Topic 1) 
When a biometric system is used, which error type deals with the possibility of GRANTING access to impostors who should be REJECTED? 


A. Type | error 

B. Type Il error 

C. Type Ill error 
D. Crossover error 


Answer: B 


Explanation: 

When the biometric system accepts impostors who should have been rejected , it is called a Type II error or False Acceptance Rate or False Accept Rate. 
Biometrics verifies an individual’s identity by analyzing a unique personal attribute or behavior, which is one of the most effective and accurate methods of 
verifying identification. 

Biometrics is a very sophisticated technology; thus, it is much more expensive and complex than the other types of identity verification processes. A biometric 
system can make authentication decisions based on an individual’s behavior, as in signature dynamics, but these can change over time and possibly be forged. 
Biometric systems that base authentication decisions on physical attributes (iris, retina, fingerprint) provide more accuracy, because physical attributes typically 
don’t change much, absent some disfiguring injury, and are harder to impersonate. 

When a biometric system rejects an authorized individual, it is called a Type | error (False Rejection Rate (FRR) or False Reject Rate (FRR)). 

When the system accepts impostors who should be rejected, it is called a Type Il error (False Acceptance Rate (FAR) or False Accept Rate (FAR)). Type II errors 
are the most dangerous and thus the most important to avoid. 

The goal is to obtain low numbers for each type of error, but When comparing different biometric systems, many different variables are used, but one of the most 
important metrics is the crossover error rate (CER). 

The accuracy of any biometric method is measured in terms of Failed Acceptance Rate (FAR) and Failed Rejection Rate (FRR). Both are expressed as 
percentages. The FAR is the rate at which attempts by unauthorized users are incorrectly accepted as valid. The FRR is just the opposite. It measures the rate at 
which authorized users are denied access. 

The relationship between FRR (Type I) and FAR (Type II) is depicted in the graphic below . As one rate increases, the other decreases. The Cross-over Error Rate 
(CER) is sometimes considered a good indicator of the overall accuracy of a biometric system. This 

is the point at which the FRR and the FAR have the same value. Solutions with a lower CER are typically more accurate. 

See graphic below from Biometria showing this relationship. The Cross-over Error Rate (CER) is also called the Equal Error Rate (EER), the two are synonymous. 
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FAR FRR 


EER 


Percentage of times a false reject (FRR) 


and false accept (FAR) 


Treshold 


C:\Users\MCS\Desktop\1.jog Cross Over Error Rate 

The other answers are incorrect: 

Type | error is also called as False Rejection Rate where a valid user is rejected by the system. 

Type Ill error : there is no such error type in biometric system. 

Crossover error rate stated in percentage , represents the point at which false rejection equals the false acceptance rate. 
Reference(s) used for this question: http:/Awww.biometria.sk/en/principles-of-biometrics.html 

and 

Shon Harris, CISSP All In One (AIO), 6th Edition , Chapter 3, Access Control, Page 188- 189 

and 

Tech Republic, Reduce Multi_Factor Authentication Cost 


NEW QUESTION 184 
- (Topic 1) 
What is the main focus of the Bell-LaPadula security model? 


A. Accountability 
B. Integrity 

C. Confidentiality 
D. Availability 


Answer: C 


Explanation: 

The Bell-LaPadula model is a formal model dealing with confidentiality. 

The Bell—LaPadula Model (abbreviated BLP) is a state machine model used for enforcing access control in government and military applications. It was developed 
by David Elliott Bell and Leonard J. LaPadula, subsequent to strong guidance from Roger R. Schell to formalize the U.S. Department of Defense (DoD) multilevel 
security (MLS) policy. The model is a formal state transition model of computer security policy that describes a set of access control rules which use security labels 
on objects and clearances for subjects. Security labels range from the most sensitive (e.g."Top Secret"), down to the least sensitive (e.g., "Unclassified" or 
"Public"). 

The Bell—LaPadula model focuses on data confidentiality and controlled access to classified information, in contrast to the Biba Integrity Model which describes 
rules for the protection of data integrity. In this formal model, the entities in an information system are divided into subjects and objects. 

The notion of a "secure state" is defined, and it is proven that each state transition preserves security by moving from secure state to secure state, thereby 
inductively proving that the system satisfies the security objectives of the model. The Bell-LaPadula model is built on the concept of a state machine with a set of 
allowable states in a computer network system. The transition from one state to another state is defined by transition functions. 

A system state is defined to be "secure" if the only permitted access modes of subjects to objects are in accordance with a security policy. To determine whether a 
specific access mode is allowed, the clearance of a subject is compared to the classification of the object (more precisely, to the combination of classification and 
set of compartments, making up the security level) to determine if the subject is authorized for the specific access mode. 

The clearance/classification scheme is expressed in terms of a lattice. The model defines two mandatory access control (MAC) rules and one discretionary access 
control (DAC) rule with three security properties: 

The Simple Security Property - a subject at a given security level may not read an object at 

a higher security level (no read-up). 

The -property (read "star"-property) - a subject at a given security level must not write to any object at a lower security level (no write-down). The -property is also 
known as the Confinement property. 

The Discretionary Security Property - use of an access matrix to specify the discretionary access control. 

The following are incorrect answers: 

Accountability is incorrect. Accountability requires that actions be traceable to the user that performed them and is not addressed by the Bell-LaPadula model. 
Integrity is incorrect. Integrity is addressed in the Biba model rather than Bell-Lapadula. Availability is incorrect. Availability is concerned with assuring that 
data/services are available to authorized users as specified in service level objectives and is not addressed by the Bell-Lapadula model. 

References: CBK, pp. 325-326 

AlO3, pp. 279 - 284 

AlOv4 Security Architecture and Design (pages 333 - 336) AlOv5 Security Architecture and Design (pages 336 - 338) 

Wikipedia at https://en.wikipedia.org/wiki/Bell-La_Padula_model 


NEW QUESTION 189 

- (Topic 1) 

Which of the following exemplifies proper separation of duties? 
A. Operators are not permitted modify the system time. 

B. Programmers are permitted to use the system console. 

C. Console operators are permitted to mount tapes and disks. 
D. Tape operators are permitted to use the system console. 


Answer: A 
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Explanation: 

This is an example of Separation of Duties because operators are prevented from modifying the system time which could lead to fraud. Tasks of this nature should 
be performed by they system administrators. 

AIO defines Separation of Duties as a security principle that splits up a critical task among two or more individuals to ensure that one person cannot complete a 
risky task by himself. 

The following answers are incorrect: 

Programmers are permitted to use the system console. Is incorrect because programmers should not be permitted to use the system console, this task should be 
performed by operators. Allowing programmers access to the system console could allow fraud to occur so this is not an example of Separation of Duties.. 
Console operators are permitted to mount tapes and disks. Is incorrect because operators should be able to mount tapes and disks so this is not an example of 
Separation of Duties. 

Tape operators are permitted to use the system console. Is incorrect because operators should be able to use the system console so this is not an example of 
Separation of Duties. 

References: 

OIG CBK Access Control (page 98 - 101) AlOv3 Access Control (page 182) 


NEW QUESTION 192 

- (Topic 1) 

What mechanism automatically causes an alarm originating in a data center to be transmitted over the local municipal fire or police alarm circuits for relaying to 
both the local police/fire station and the appropriate headquarters? 


A. Central station alarm 

B. Proprietary alarm 

C. A remote station alarm 
D. An auxiliary station alarm 


Answer: D 


Explanation: 

Auxiliary station alarms automatically cause an alarm originating in a data center to be transmitted over the local municipal fire or police alarm circuits for relaying 
to both the local police/fire station and the appropriate headquarters. They are usually Municipal Fire Alarm Boxes are installed at your business or building, they 
are wired directly into the fire station. 

Central station alarms are operated by private security organizations. It is very similar to a proprietary alarm system (see below). However, the biggest difference is 
the monitoring and receiving of alarm is done off site at a central location manned by non staff members. It is a third party. 

Proprietary alarms are similar to central stations alarms except that monitoring is performed directly on the protected property. This type of alarm is usually use to 
protect large industrials or commercial buildings. Each of the buildings in the same vincinity has their own alarm system, they are all wired together at a central 
location within one of the building acting as a common receiving point. This point is usually far away from the other building so it is not under the same danger. It is 
usually man 24 hours a day by a trained team who knows how to react under different conditions. 

A remote station alarm is a direct connection between the signal-initiating device at the protected property and the signal-receiving device located at a remote 
station, such as the fire station or usually a monitoring service. This is the most popular type of implementation and the owner of the premise must pay a monthly 
monitoring fee. This is what most people use in their home where they get a company like ADT to receive the alarms on their behalf. 

A remote system differs from an auxiliary system in that it does not use the municipal fire of police alarm circuits. 

Reference(s) used for this question: 

ANDRESS, Mandy, Exam Cram CISSP, Coriolis, 2001, Chapter 11: Physical Security (page 211). 

and 

Great presentation J.T.A. Stone on SlideShare 


NEW QUESTION 194 
- (Topic 1) 
Access Control techniques do not include which of the following? 


A. Rule-Based Access Controls 

B. Role-Based Access Control 

C. Mandatory Access Control 

D. Random Number Based Access Control 


Answer: D 


Explanation: 

Access Control Techniques Discretionary Access Control 

Mandatory Access Control Lattice Based Access Control Rule-Based Access Control Role-Based Access Control 

Source: DUPUIS, Clement, Access Control Systems and Methodology, Version 1, May 2002, CISSP Open Study Group Study Guide for Domain 1, Page 13. 


NEW QUESTION 198 
- (Topic 1) 
Which of the following biometric devices offers the LOWEST CER? 


A. Keystroke dynamics 
B. Voice verification 

C. Iris scan 

D. Fingerprint 


Answer: C 
Explanation: 
From most effective (lowest CER) to least effective (highest CER) are: Iris scan, fingerprint, voice verification, keystroke dynamics. 


Reference : Shon Harris Aio v3 , Chapter-4 : Access Control , Page : 131 
Also see: http://www.sans.org/reading_room/whitepapers/authentication/biometric-selection-body-parts-online_139 


NEW QUESTION 201 
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- (Topic 1) 
A confidential number used as an authentication factor to verify a user's identity is called a: 


A. PIN 

B. User ID 
C. Password 
D. Challenge 


Answer: A 


Explanation: 

PIN Stands for Personal Identification Number, as the name states it is a combination of numbers. 

The following answers are incorrect: 

User ID This is incorrect because a Userid is not required to be a number and a Userid is only used to establish identity not verify it. 
Password. This is incorrect because a password is not required to be a number, it could be any combination of characters. 
Challenge. This is incorrect because a challenge is not defined as a number, it could be anything. 


NEW QUESTION 202 

- (Topic 1) 

In non-discretionary access control using Role Based Access Control (RBAC), a central authority determines what subjects can have access to certain objects 
based on the organizational security policy. The access controls may be based on: 


A. The societies role in the organization 

B. The individual's role in the organization 

C. The group-dynamics as they relate to the individual's role in the organization 
D. The group-dynamics as they relate to the master-slave role in the organization 


Answer: B 


Explanation: 

In Non-Discretionary Access Control, when Role Based Access Control is being used, a central authority determines what subjects can have access to certain 
objects based on the organizational security policy. The access controls may be based on the individual's role in the organization. 

Reference(S) used for this question: 

KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, 2001, John Wiley & Sons, Page 33. 


NEW QUESTION 205 

- (Topic 1) 

The throughput rate is the rate at which individuals, once enrolled, can be processed and 
identified or authenticated by a biometric system. Acceptable throughput rates are in the range of: 


A. 100 subjects per minute. 
B. 25 subjects per minute. 
C. 10 subjects per minute. 
D. 50 subjects per minute. 


Answer: C 


Explanation: 

The throughput rate is the rate at which individuals, once enrolled, can be processed and identified or authenticated by a biometric system. 

Acceptable throughput rates are in the range of 10 subjects per minute. 

Things that may impact the throughput rate for some types of biometric systems may include: 

A concern with retina scanning systems may be the exchange of body fluids on the eyepiece. 

Another concern would be the retinal pattern that could reveal changes in a person's health, such as diabetes or high blood pressure. 

Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, 2001, John Wiley & Sons, Page 38. 


NEW QUESTION 209 
- (Topic 1) 
How can an individual/person best be identified or authenticated to prevent local masquarading attacks? 


A. Userld and password 

B. Smart card and PIN code 
C. Two-factor authentication 
D. Biometrics 


Answer: D 


Explanation: 

The only way to be truly positive in authenticating identity for access is to base the authentication on the physical attributes of the persons themselves (i.e., 
biometric 

identification). Physical attributes cannot be shared, borrowed, or duplicated. They ensure that you do identify the person, however they are not perfect and they 
would have to be supplemented by another factor. 

Some people are getting thrown off by the term Masquarade. In general, a masquerade is a disguise. In terms of communications security issues, a masquerade is 
a type of attack where the attacker pretends to be an authorized user of a system in order to gain access to it or to gain greater privileges than they are authorized 
for. A masquerade may be attempted through the use of stolen logon IDs and passwords, through finding security gaps in programs, or through bypassing the 
authentication mechanism. Spoofing is another term used to describe this type of attack as well. 

A Userld only provides for identification. 

A password is a weak authentication mechanism since passwords can be disclosed, shared, written down, and more. 

A smart card can be stolen and its corresponding PIN code can be guessed by an intruder. A smartcard can be borrowed by a friend of yours and you would have 
no clue as to who is really logging in using that smart card. 

Any form of two-factor authentication not involving biometrics cannot be as reliable as a biometric system to identify the person. 
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Biometric identifying verification systems control people. If the person with the correct hand, eye, face, signature, or voice is not present, the identification and 
verification cannot take place and the desired action (i.e., portal passage, data, or resource access) does not occur. 

As has been demonstrated many times, adversaries and criminals obtain and successfully use access cards, even those that require the addition of a PIN. This is 
because these systems control only pieces of plastic (and sometimes information), rather than people. Real asset and resource protection can only be 
accomplished by people, not cards and information, because unauthorized persons can (and do) obtain the cards and information. 

Further, life-cycle costs are significantly reduced because no card or PIN administration system or personnel are required. The authorized person does not lose 
physical characteristics (i.e., hands, face, eyes, signature, or voice), but cards and PINs are continuously lost, stolen, or forgotten. This is why card access 
systems require systems and people to administer, control, record, and issue (new) cards and PINs. Moreover, the cards are an expensive and recurring cost. 
NOTE FROM CLEMENT: 

This question has been generating lots of interest. The keyword in the question is: Individual (the person) and also the authenticated portion as well. 

| totally agree with you that Two Factors or Strong Authentication would be the strongest means of authentication. However the question is not asking what is the 
strongest mean of authentication, it is asking what is the best way to identify the user (individual) behind the technology. When answering questions do not make 
assumptions to facts not presented in the question or answers. 

Nothing can beat Biometrics in such case. You cannot lend your fingerprint and pin to someone else, you cannot borrow one of my eye balls to defeat the Iris or 
Retina scan. This is why it is the best method to authenticate the user. 

| think the reference is playing with semantics and that makes it a bit confusing. | have improved the question to make it a lot clearer and | have also improve the 
explanations attached with the question. 

The reference mentioned above refers to authenticating the identity for access. So the distinction is being made that there is identity and there is authentication. In 
the case of physical security the enrollment process is where the identity of the user would be validated and then the biometrics features provided by the user 
would authenticate the user on a one to one matching basis (for authentication) with the reference contained in the database of biometrics templates. In the case 
of system access, the user might have to provide a username, a pin, a passphrase, a smart card, and then provide his biometric attributes. 

Biometric can also be used for Identification purpose where you do a one to many match. You take a facial scan of someone within an airport and you attempt to 
match it with a large database of known criminal and terrorists. This is how you could use biometric for Identification. 

There are always THREE means of authentication, they are: Something you know (Type 1) 

Something you have (Type 2) 

Something you are (Type 3) 

Reference(s) used for this question: 

TIPTON, Harold F. & KRAUSE, Micki, Information Security Management Handbook, 4th edition (volume 1) , 2000, CRC Press, Chapter 1, Biometric Identification 
(page 7). 

and 

Search Security at http://searchsecurity.techtarget.com/definition/masquerade 


NEW QUESTION 211 
- (Topic 1) 
Which authentication technique best protects against hijacking? 


A. Static authentication 

B. Continuous authentication 
C. Robust authentication 

D. Strong authentication 


Answer: B 


Explanation: 

A continuous authentication provides protection against impostors who can see, alter, and insert information passed between the claimant and verifier even after 
the claimant/verifier authentication is complete. This is the best protection against hijacking. Static authentication is the type of authentication provided by 
traditional password schemes and the strength of the authentication is highly dependent on the difficulty of guessing passwords. The robust authentication 
mechanism relies on dynamic authentication data that changes with each authenticated session between a claimant and a verifier, and it does not protect against 
hijacking. Strong authentication refers to a two-factor authentication (like something a user knows and something a user is). 

Source: TIPTON, Harold F. & KRAUSE, Micki, Information Security Management Handbook, 4th edition (volume 1), 2000, CRC Press, Chapter 3: Secured 
Connections to External Networks (page 51). 


NEW QUESTION 213 
- (Topic 1) 
What Orange Book security rating is reserved for systems that have been evaluated but fail to meet the criteria and requirements of the higher divisions? 


owp 
numo» 


Answer: B 


Explanation: 

D or "minimal protection" is reserved for systems that were evaluated under the TCSEC but did not meet the requirements for a higher trust level. 

A is incorrect. A or "Verified Protectection" is the highest trust level under the TCSEC. E is incorrect. The trust levels are A - D so "E" is not a valid trust level. 
F is incorrect. The trust levels are A - D so "F" is not a valid trust level. 

CBK, pp. 329 - 330 

AIO3, pp. 302 - 306 


NEW QUESTION 215 
- (Topic 1) 
Which of the following is NOT true of the Kerberos protocol? 


A. Only a single login is required per session. 

B. The initial authentication steps are done using public key algorithm. 

C. The KDC is aware of all systems in the network and is trusted by all of them 
D. It performs mutual authentication 


Answer: B 
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Explanation: 

Kerberos is a network authentication protocol. It is designed to provide strong authentication for client/server applications by using secret-key cryptography. It has 
the following characteristics: 

It is secure: it never sends a password unless it is encrypted. 

Only a single login is required per session. Credentials defined at login are then passed between resources without the need for additional logins. 

The concept depends on a trusted third party — a Key Distribution Center (KDC). The KDC is aware of all systems in the network and is trusted by all of them. 

It performs mutual authentication, where a client proves its identity to a server and a server proves its identity to the client. 

Kerberos introduces the concept of a Ticket-Granting Server/Service (TGS). A client that wishes to use a service has to receive a ticket from the TGS — a ticket is a 
time-limited 

cryptographic message — giving it access to the server. Kerberos also requires an Authentication Server (AS) to verify clients. The two servers combined make up 
a KDC. 

Within the Windows environment, Active Directory performs the functions of the KDC. The following figure shows the sequence of events required for a client to 
gain access to a service using Kerberos authentication. Each step is shown with the Kerberos message associated with it, as defined in RFC 4120 “The Kerberos 
Network Authorization Service (V5)”. 
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C:\Users\MCS\Desktop\1.jog Kerberos Authentication Step by Step 

Step 1: The user logs on to the workstation and requests service on the host. The workstation sends a message to the Authorization Server requesting a ticket 
granting ticket (TGT). 

Step 2: The Authorization Server verifies the user’s access rights in the user database and creates a TGT and session key. The Authorization Sever encrypts the 
results using a key derived from the user’s password and sends a message back to the user workstation. 

The workstation prompts the user for a password and uses the password to decrypt the incoming message. When decryption succeeds, the user will be able to 
use the TGT to request a service ticket. 

Step 3: When the user wants access to a service, the workstation client application sends a request to the Ticket Granting Service containing the client name, 
realm name and a timestamp. The user proves his identity by sending an authenticator encrypted with the session key received in Step 2. 

Step 4: The TGS decrypts the ticket and authenticator, verifies the request, and creates a ticket for the requested server. The ticket contains the client name and 
optionally the client IP address. It also contains the realm name and ticket lifespan. The TGS returns the ticket to the user workstation. The returned message 
contains two copies of a server session key 

— one encrypted with the client password, and one encrypted by the service password. 

Step 5: The client application now sends a service request to the server containing the ticket received in Step 4 and an authenticator. The service authenticates the 
request by decrypting the session key. The server verifies that the ticket and authenticator match, and then grants access to the service. This step as described 
does not include the authorization performed by the Intel AMT device, as described later. 

Step 6: If mutual authentication is required, then the server will reply with a server authentication message. 

The Kerberos server knows "secrets" (encrypted passwords) for all clients and servers under its control, or it is in contact with other secure servers that have this 
information. These "secrets" are used to encrypt all of the messages shown in the figure above. 

To prevent "replay attacks," Kerberos uses timestamps as part of its protocol definition. For timestamps to work properly, the clocks of the client and the server 
need to be in synch as much as possible. In other words, both computers need to be set to the same time and date. Since the clocks of two computers are often 
out of synch, administrators can establish a policy to establish the maximum acceptable difference to Kerberos between a client's clock and server's clock. If the 
difference between a client's clock and the server's clock is less than the maximum time difference specified in this policy, any timestamp used in a session 
between the two computers will be considered authentic. The maximum difference is usually set to five minutes. 

Note that if a client application wishes to use a service that is "Kerberized" (the service is configured to perform Kerberos authentication), the client must also be 
Kerberized so that it expects to support the necessary message responses. 

For more information about Kerberos, see http://web.mit.edu/kerberos/www/. 

References: 

Introduction to Kerberos Authentication from Intel 

and 

http://www.zeroshell.net/eng/kerberos/Kerberos-definitions/#1.3.5.3 and 

http://www. ietf.org/rfc/rfc4120.txt 
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